curl/lib/cookie.h

#ifndef HEADER_CURL_COOKIE_H
#define HEADER_CURL_COOKIE_H
/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.haxx.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ***************************************************************************/
#include "curl_setup.h"

#include <curl/curl.h>

struct Cookie {
  struct Cookie *next; /* next in the chain */
  char *name;        /* <this> = value */
  char *value;       /* name = <this> */
  char *path;         /* path = <this> which is in Set-Cookie: */
  char *spath;        /* sanitized cookie path */
  char *domain;      /* domain = <this> */
  curl_off_t expires;  /* expires = <this> */
  char *expirestr;   /* the plain text version */
  bool tailmatch;    /* weather we do tail-matchning of the domain name */

  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
  char *version;     /* Version = <value> */
  char *maxage;      /* Max-Age = <value> */

  bool secure;       /* whether the 'secure' keyword was used */
  bool livecookie;   /* updated from a server, not a stored file */
  bool httponly;     /* true if the httponly directive is present */
};

struct CookieInfo {
  /* linked list of cookies we know of */
  struct Cookie *cookies;

  char *filename;  /* file we read from/write to */
  bool running;    /* state info, for cookie adding information */
  long numcookies; /* number of cookies in the "jar" */
  bool newsession; /* new session, discard session cookies on load */
};

/* This is the maximum line length we accept for a cookie line. RFC 2109
   section 6.3 says:

   "at least 4096 bytes per cookie (as measured by the size of the characters
   that comprise the cookie non-terminal in the syntax description of the
   Set-Cookie header)"

   We allow max 5000 bytes cookie header. Max 4095 bytes length per cookie
   name and value. Name + value may not exceed 4096 bytes.

*/
#define MAX_COOKIE_LINE 5000
#define MAX_COOKIE_LINE_TXT "4999"

/* This is the maximum length of a cookie name or content we deal with: */
#define MAX_NAME 4096
#define MAX_NAME_TXT "4095"

struct Curl_easy;
/*
 * Add a cookie to the internal list of cookies. The domain and path arguments
 * are only used if the header boolean is TRUE.
 */

struct Cookie *Curl_cookie_add(struct Curl_easy *data,
                               struct CookieInfo *, bool header, char *lineptr,
                               const char *domain, const char *path);

struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
                                   const char *, bool);
void Curl_cookie_freelist(struct Cookie *cookies);
void Curl_cookie_clearall(struct CookieInfo *cookies);
void Curl_cookie_clearsess(struct CookieInfo *cookies);

#if defined(CURL_DISABLE_HTTP) || defined(CURL_DISABLE_COOKIES)
#define Curl_cookie_list(x) NULL
#define Curl_cookie_loadfiles(x) Curl_nop_stmt
#define Curl_cookie_init(x,y,z,w) NULL
#define Curl_cookie_cleanup(x) Curl_nop_stmt
#define Curl_flush_cookies(x,y) Curl_nop_stmt
#else
void Curl_flush_cookies(struct Curl_easy *data, int cleanup);
void Curl_cookie_cleanup(struct CookieInfo *);
struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
                                    const char *, struct CookieInfo *, bool);
struct curl_slist *Curl_cookie_list(struct Curl_easy *data);
void Curl_cookie_loadfiles(struct Curl_easy *data);
#endif

#endif /* HEADER_CURL_COOKIE_H */
compiler warning: fix Fix compiler warning: empty body in an if-statement 2011-05-21 07:46:37 -04:00			`#ifndef HEADER_CURL_COOKIE_H`
			`#define HEADER_CURL_COOKIE_H`
updated source code boilerplate/header 2002-09-03 07:52:59 -04:00			`/***************************************************************************`
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before. 2004-06-22 17:15:51 -04:00			`* _ _ ____ _`
			`* Project ___\| \| \| \| _ \\| \|`
			`* / __\| \| \| \| \|_) \| \|`
			`* \| (__\| \|_\| \| _ <\| \|___`
dual-license fix 2001-01-03 04:29:33 -05:00			`* \___\|\___/\|_\| \_\_____\|`
			`*`
cookies: reject oversized cookies ... instead of truncating them. There's no fixed limit for acceptable cookie names in RFC 6265, but the entire cookie is said to be less than 4096 bytes (section 6.1). This is also what browsers seem to implement. We now allow max 5000 bytes cookie header. Max 4095 bytes length per cookie name and value. Name + value together may not exceed 4096 bytes. Added test 1151 to verify Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith Closes #1894 2017-09-17 18:55:07 -04:00			`* Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.`
dual-license fix 2001-01-03 04:29:33 -05:00			`*`
updated source code boilerplate/header 2002-09-03 07:52:59 -04:00			`* This software is licensed as described in the file COPYING, which`
			`* you should have received as part of this distribution. The terms`
URLs: change all http:// URLs to https:// 2016-02-02 18:19:02 -05:00			`* are also available at https://curl.haxx.se/docs/copyright.html.`
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before. 2004-06-22 17:15:51 -04:00			`*`
dual-license fix 2001-01-03 04:29:33 -05:00			`* You may opt to use, copy, modify, merge, publish, distribute and/or sell`
			`* copies of the Software, and permit persons to whom the Software is`
updated source code boilerplate/header 2002-09-03 07:52:59 -04:00			`* furnished to do so, under the terms of the COPYING file.`
dual-license fix 2001-01-03 04:29:33 -05:00			`*`
			`* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY`
			`* KIND, either express or implied.`
			`*`
updated source code boilerplate/header 2002-09-03 07:52:59 -04:00			`***************************************************************************/`
build: fix circular header inclusion with other packages This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact. 2013-01-06 13:06:49 -05:00			`#include "curl_setup.h"`
Initial revision 1999-12-29 09:20:26 -05:00
			`#include <curl/curl.h>`

			`struct Cookie {`
Added some RFC2109 support 2000-02-01 18:54:51 -05:00			`struct Cookie next; / next in the chain */`
			`char name; / <this> = value */`
			`char value; / name = <this> */`
cookies: follow-up fix for path checking The initial fix to only compare full path names were done in commit 04f52e9b4db0 but found out to be incomplete. This takes should make the change more complete and there's now two additional tests to verify (test 31 and 62). 2013-06-12 05:19:56 -04:00			`char path; / path = <this> which is in Set-Cookie: */`
			`char spath; / sanitized cookie path */`
Added some RFC2109 support 2000-02-01 18:54:51 -05:00			`char domain; / domain = <this> */`
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to write the result to a given cookie jar and then never actually call curl_easy_perform() - the given file(s) to read was never read but the output file was written and thus it caused a "funny" result. - While doing some tests for the bug above, I noticed that Firefox generates large numbers (for the expire time) in the cookies.txt file and libcurl didn't treat them properly. Now it does. 2005-08-17 04:55:43 -04:00			`curl_off_t expires; /* expires = <this> */`
Added some RFC2109 support 2000-02-01 18:54:51 -05:00			`char expirestr; / the plain text version */`
Many cookie fixes: o Save domains in jars like Mozilla does. It means all domains set in Set-Cookie: headers are dot-prefixed. o Save and use the 'tailmatch' field in the Mozilla/Netscape cookie jars (the second column). o Reject cookies using illegal domains in the Set-Cookie: line. Concerns both domains with too few dots or domains that are outside the currently operating server host's domain. o Set the path part by default to the one used in the request, if none was set in the Set-Cookie line. 2003-04-30 13:03:43 -04:00			`bool tailmatch; /* weather we do tail-matchning of the domain name */`
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before. 2004-06-22 17:15:51 -04:00
Added some RFC2109 support 2000-02-01 18:54:51 -05:00			`/* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */`
			`char version; / Version = <value> */`
			`char maxage; / Max-Age = <value> */`
David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before. 2004-06-22 17:15:51 -04:00
Added some RFC2109 support 2000-02-01 18:54:51 -05:00			`bool secure; /* whether the 'secure' keyword was used */`
started working on a function for writing (all) cookies, made it possible to read multiple cookie files, no longer writes to the URL string passed to the _add() function. The new stuff is now conditionally compiled on the COOKIE define. Changed the _init() proto. 2001-08-23 10:05:25 -04:00			`bool livecookie; /* updated from a server, not a stored file */`
- Niklas Angebrand made the cookie support in libcurl properly deal with the "HttpOnly" feature introduced by Microsoft and apparently also supported by Firefox: http://msdn2.microsoft.com/en-us/library/ms533046.aspx . HttpOnly is now supported when received from servers in HTTP headers, when written to cookie jars and when read from existing cookie jars. 2008-01-31 07:21:57 -05:00			`bool httponly; /* true if the httponly directive is present */`
Initial revision 1999-12-29 09:20:26 -05:00			`};`

			`struct CookieInfo {`
started working on a function for writing (all) cookies, made it possible to read multiple cookie files, no longer writes to the URL string passed to the _add() function. The new stuff is now conditionally compiled on the COOKIE define. Changed the _init() proto. 2001-08-23 10:05:25 -04:00			`/* linked list of cookies we know of */`
			`struct Cookie *cookies;`
Initial revision 1999-12-29 09:20:26 -05:00
support for ingoring session cookies added 2002-05-07 05:58:13 -04:00			`char filename; / file we read from/write to */`
			`bool running; /* state info, for cookie adding information */`
cookie jar adjustments 2001-08-29 05:32:18 -04:00			`long numcookies; /* number of cookies in the "jar" */`
support for ingoring session cookies added 2002-05-07 05:58:13 -04:00			`bool newsession; /* new session, discard session cookies on load */`
Initial revision 1999-12-29 09:20:26 -05:00			`};`

David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before. 2004-06-22 17:15:51 -04:00			`/* This is the maximum line length we accept for a cookie line. RFC 2109`
			`section 6.3 says:`

			`"at least 4096 bytes per cookie (as measured by the size of the characters`
			`that comprise the cookie non-terminal in the syntax description of the`
			`Set-Cookie header)"`

cookies: reject oversized cookies ... instead of truncating them. There's no fixed limit for acceptable cookie names in RFC 6265, but the entire cookie is said to be less than 4096 bytes (section 6.1). This is also what browsers seem to implement. We now allow max 5000 bytes cookie header. Max 4095 bytes length per cookie name and value. Name + value together may not exceed 4096 bytes. Added test 1151 to verify Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith Closes #1894 2017-09-17 18:55:07 -04:00			`We allow max 5000 bytes cookie header. Max 4095 bytes length per cookie`
			`name and value. Name + value may not exceed 4096 bytes.`

David Cohen pointed out that RFC2109 says clients should allow cookies to contain least 4096 bytes while libcurl only allowed 2047. I raised the limit to 4999 now and made the used buffer get malloc()ed instead of simply allocated on stack as before. 2004-06-22 17:15:51 -04:00			`*/`
			`#define MAX_COOKIE_LINE 5000`
			`#define MAX_COOKIE_LINE_TXT "4999"`
Initial revision 1999-12-29 09:20:26 -05:00
cookies: reject oversized cookies ... instead of truncating them. There's no fixed limit for acceptable cookie names in RFC 6265, but the entire cookie is said to be less than 4096 bytes (section 6.1). This is also what browsers seem to implement. We now allow max 5000 bytes cookie header. Max 4095 bytes length per cookie name and value. Name + value together may not exceed 4096 bytes. Added test 1151 to verify Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith Closes #1894 2017-09-17 18:55:07 -04:00			`/* This is the maximum length of a cookie name or content we deal with: */`
			`#define MAX_NAME 4096`
			`#define MAX_NAME_TXT "4095"`
Initial revision 1999-12-29 09:20:26 -05:00
internals: rename the SessionHandle struct to Curl_easy 2016-06-21 09:47:12 -04:00			`struct Curl_easy;`
Now we're setting a default domain for received cookies so that we can properly match those cookies in subsequent requests 2001-09-26 03:08:29 -04:00			`/*`
Many cookie fixes: o Save domains in jars like Mozilla does. It means all domains set in Set-Cookie: headers are dot-prefixed. o Save and use the 'tailmatch' field in the Mozilla/Netscape cookie jars (the second column). o Reject cookies using illegal domains in the Set-Cookie: line. Concerns both domains with too few dots or domains that are outside the currently operating server host's domain. o Set the path part by default to the one used in the request, if none was set in the Set-Cookie line. 2003-04-30 13:03:43 -04:00			`* Add a cookie to the internal list of cookies. The domain and path arguments`
			`* are only used if the header boolean is TRUE.`
Now we're setting a default domain for received cookies so that we can properly match those cookies in subsequent requests 2001-09-26 03:08:29 -04:00			`*/`
the new cookie functions that require 'data' passed in 2003-08-11 05:56:06 -04:00
internals: rename the SessionHandle struct to Curl_easy 2016-06-21 09:47:12 -04:00			`struct Cookie Curl_cookie_add(struct Curl_easy data,`
Added lots of consts 2007-08-29 01:36:53 -04:00			`struct CookieInfo , bool header, char lineptr,`
			`const char domain, const char path);`
Now we're setting a default domain for received cookies so that we can properly match those cookies in subsequent requests 2001-09-26 03:08:29 -04:00
Added lots of consts 2007-08-29 01:36:53 -04:00			`struct Cookie Curl_cookie_getlist(struct CookieInfo , const char *,`
Indentation fixes, untabify and related whitespace-cleanup. No code changed. 2009-02-27 03:53:10 -05:00			`const char *, bool);`
cookies: getlist() now holds deep copies of all cookies Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. CVE-2016-8623 Bug: https://curl.haxx.se/docs/adv_20161102I.html Reported-by: Cure53 2016-10-04 17:26:13 -04:00			`void Curl_cookie_freelist(struct Cookie *cookies);`
Michael Wallner provided a patch that allows "SESS" to be set with CURLOPT_COOKIELIST, which then makes all session cookies get cleared. (slightly edited by me, and the re-indent in cookie.c was also done by me) 2006-05-24 18:46:38 -04:00			`void Curl_cookie_clearall(struct CookieInfo *cookies);`
			`void Curl_cookie_clearsess(struct CookieInfo *cookies);`
Initial revision 1999-12-29 09:20:26 -05:00
Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a simple interface to extracting and setting cookies in libcurl's internal "cookie jar". See the new cookie_interface.c example code. 2005-07-27 18:17:14 -04:00			`#if defined(CURL_DISABLE_HTTP) \|\| defined(CURL_DISABLE_COOKIES)`
			`#define Curl_cookie_list(x) NULL`
fix a bunch of MSVC compiler warnings 2011-09-03 10:06:10 -04:00			`#define Curl_cookie_loadfiles(x) Curl_nop_stmt`
disable cookies: remove ifdefs, move code 1 - make sure to #define macros for cookie functions in the cookie header when cookies are disabled to avoid having to use #ifdefs in code using those functions. 2 - move cookie-specific code to cookie.c and use the functio conditionally as mentioned in (1). net result: 6 #if lines removed, and 9 lines of code less 2011-04-04 09:46:42 -04:00			`#define Curl_cookie_init(x,y,z,w) NULL`
fix a bunch of MSVC compiler warnings 2011-09-03 10:06:10 -04:00			`#define Curl_cookie_cleanup(x) Curl_nop_stmt`
			`#define Curl_flush_cookies(x,y) Curl_nop_stmt`
Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a simple interface to extracting and setting cookies in libcurl's internal "cookie jar". See the new cookie_interface.c example code. 2005-07-27 18:17:14 -04:00			`#else`
internals: rename the SessionHandle struct to Curl_easy 2016-06-21 09:47:12 -04:00			`void Curl_flush_cookies(struct Curl_easy *data, int cleanup);`
disable cookies: remove ifdefs, move code 1 - make sure to #define macros for cookie functions in the cookie header when cookies are disabled to avoid having to use #ifdefs in code using those functions. 2 - move cookie-specific code to cookie.c and use the functio conditionally as mentioned in (1). net result: 6 #if lines removed, and 9 lines of code less 2011-04-04 09:46:42 -04:00			`void Curl_cookie_cleanup(struct CookieInfo *);`
internals: rename the SessionHandle struct to Curl_easy 2016-06-21 09:47:12 -04:00			`struct CookieInfo Curl_cookie_init(struct Curl_easy data,`
disable cookies: remove ifdefs, move code 1 - make sure to #define macros for cookie functions in the cookie header when cookies are disabled to avoid having to use #ifdefs in code using those functions. 2 - move cookie-specific code to cookie.c and use the functio conditionally as mentioned in (1). net result: 6 #if lines removed, and 9 lines of code less 2011-04-04 09:46:42 -04:00			`const char , struct CookieInfo , bool);`
internals: rename the SessionHandle struct to Curl_easy 2016-06-21 09:47:12 -04:00			`struct curl_slist Curl_cookie_list(struct Curl_easy data);`
			`void Curl_cookie_loadfiles(struct Curl_easy *data);`
Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a simple interface to extracting and setting cookies in libcurl's internal "cookie jar". See the new cookie_interface.c example code. 2005-07-27 18:17:14 -04:00			`#endif`

compiler warning: fix Fix compiler warning: empty body in an if-statement 2011-05-21 07:46:37 -04:00			`#endif /* HEADER_CURL_COOKIE_H */`